In a computing environment, auditing is typically performed to establish facts such as logons, data accesses, or other security-relevant events, or to detect past or ongoing attacks. Typically, machines, and the programs that run on them, record event logs, and these event logs can be analyzed to determine conditions that are, or were, present at the machine; event monitoring typically captures data such as system status or system performance.
Auditing is typically done on a per-machine or per-entity basis—i.e., the event log generated by one machine, or by one entity (e.g., by a particular program running on one machine), is analyzed to determine whatever information can be gleaned from that one machine or entity. However, the overall picture of what occurs on a machine is not always apparent from one log, because a single log does not typically contain the information that describes an actual usage scenario. In a more typical usage scenario, a user logs onto a computer and runs several programs on that computer. Each of the programs, in turn, may access other servers (e.g., database servers, mail servers, etc.), and these servers may exist on different machines. An enterprise-wide attack typically does not take place on one machine, but rather infects an entire local network at several different entry points. Thus, a single log generated by one program running on one machine may give a very narrow view of the conditions that are present, since the true usage pattern may be spread across several machines and programs, and thus among several different logs.
Conventionally, the process of auditing does not attempt to glean context by comparing and correlating different logs. One reason for this is that it is often difficult to determine which events in different logs correspond to the same user, because the logs tend to identify the same user differently. For example, when the user signs onto a desktop operating system (OS), and the operating system then tenders the user's credentials to a mail server to retrieve the user's mail, the OS log and the mail server log may identify that same user differently.
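The following is an added illustration, not code from the original text: two constructed log fragments in which the OS log names a user as DOMAIN\user while the mail server log names the same person by mailbox address, plus the identity normalization and time-window join needed to correlate them. The log formats, the mapping rule in canonical_user, and the five-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). The OS log names the
# user as DOMAIN\user; the mail log uses a mailbox address for the same person.
OS_LOG = """\
2024-03-01T08:00:05 LOGON user=CORP\\alice host=ws17
2024-03-01T08:00:40 LOGON user=CORP\\bob host=ws22
2024-03-01T08:02:10 LOGOFF user=CORP\\alice host=ws17
"""
MAIL_LOG = """\
2024-03-01T08:00:31 AUTH_OK mailbox=alice@corp.example client=ws17
2024-03-01T08:01:02 AUTH_OK mailbox=bob@corp.example client=ws22
2024-03-01T08:09:45 AUTH_OK mailbox=alice@corp.example client=ws90
"""
LINE_RE = re.compile(r"^(\S+) (\w+) (?:user|mailbox)=(\S+) (?:host|client)=(\S+)$")

def canonical_user(raw):
    """Reduce both identifier styles to one principal name (assumed mapping)."""
    if "\\" in raw:                      # DOMAIN\user form from the OS log
        return raw.split("\\", 1)[1].lower()
    if "@" in raw:                       # address form from the mail log
        return raw.split("@", 1)[0].lower()
    return raw.lower()

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                            # skip lines that do not fit the format
            ts, action, ident, host = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "action": action,
                           "user": canonical_user(ident), "host": host})
    return events

def unexplained_mail_auths(os_log=OS_LOG, mail_log=MAIL_LOG,
                           window=timedelta(minutes=5)):
    """Mail authentications with no OS logon by the same user on the same host
    within `window` before them: a view neither log yields on its own."""
    logons = [e for e in parse(os_log) if e["action"] == "LOGON"]
    auths = [e for e in parse(mail_log) if e["action"] == "AUTH_OK"]
    flagged = []
    for mail in auths:
        matched = any(l["user"] == mail["user"] and l["host"] == mail["host"]
                      and timedelta(0) <= mail["time"] - l["time"] <= window
                      for l in logons)
        if not matched:
            flagged.append((mail["user"], mail["host"], mail["time"].isoformat()))
    return flagged
```

In the sample data the third mail authentication (alice from ws90) has no corresponding OS logon, which only the correlated view reveals.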